Conditional Differential Cryptanalysis of NLFSR-Based Cryptosystems

Simon Knellwolf and Willi Meier and María Naya-Plasencia

Non-linear feedback shift registers are widely used in lightweight
cryptographic primitives. For such constructions we propose a general analysis
technique based on differential cryptanalysis. The essential idea is to
identify conditions on the internal state to obtain a deterministic
differential characteristic for a large number of rounds. Depending on whether
these conditions involve public variables only, or also key variables, we
derive distinguishing and partial key recovery attacks. We apply these methods
to analyse the security of the eSTREAM finalist Grain v1 as well as the block
cipher family KATAN/KTANTAN. This allows us to distinguish Grain v1 reduced to
104 of its 160 rounds and to recover some information on the key. The technique
naturally extends to higher order differentials and enables us to distinguish
Grain-128 up to 215 of its 256 rounds and to recover parts of the key up to 213
rounds. All results are the best known thus far and are achieved by experiments
in practical time.
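To make the abstract's central idea concrete, here is an added, self-contained example that is not part of the paper and does not model Grain or KATAN: a constructed 16-bit toy NLFSR whose state is loaded with 8 key bits and 8 public IV bits and clocked with an invented feedback function (the tap positions, the loading and the feedback are assumptions for illustration only). The code injects a one-bit IV difference and propagates it symbolically: through linear taps the difference is free, but whenever it enters an AND gate the product's difference equals a state value, so a condition on that value is recorded to keep the characteristic deterministic. Conditions whose value depends on IV bits only are "public" (the attacker satisfies them by choosing IVs, giving a distinguisher); conditions that depend on key bits are what the abstract turns into partial key recovery. The sampling experiment at the end checks the prediction numerically.

```python
"""Conditional differential cryptanalysis on a toy NLFSR (constructed example, not Grain or KATAN)."""
import random

# Toy NLFSR, constructed for this example: 16-bit state, 8 key bits k0..k7 loaded
# into s[0..7] and 8 public IV bits v0..v7 into s[8..15]. One round computes the
# feedback bit f(s) = s[0] ^ s[3] ^ (s[6] & s[10]) ^ (s[12] & s[14]) and shifts left.
N, KEY_BITS = 16, 8
LIN_TAPS = (0, 3)
AND_TAPS = ((6, 10), (12, 14))
IV_VARS = frozenset(range(KEY_BITS, N))

def clock(state):
    """One round of the toy NLFSR: return (new state, feedback bit)."""
    fb = state[LIN_TAPS[0]] ^ state[LIN_TAPS[1]]
    for a, b in AND_TAPS:
        fb ^= state[a] & state[b]
    return state[1:] + [fb], fb

def derive_characteristic(diff_pos, rounds):
    """Propagate a one-bit difference injected at initial position diff_pos.

    Each state bit carries a deterministic difference (0/1) and the set of initial
    variables its value depends on. When a difference enters an AND gate, the product's
    difference equals a state value, so a condition forcing that value is recorded.
    Returns (predicted feedback difference per round, conditions); a condition is
    (round, positions, target, variables): XOR of state[positions] before round == target.
    """
    diff = [0] * N
    diff[diff_pos] = 1
    dep = [frozenset([i]) for i in range(N)]
    predicted, conds = [], []
    for r in range(1, rounds + 1):
        fb_diff = diff[LIN_TAPS[0]] ^ diff[LIN_TAPS[1]]
        fb_dep = dep[LIN_TAPS[0]] | dep[LIN_TAPS[1]]
        for a, b in AND_TAPS:
            fb_dep |= dep[a] | dep[b]
            da, db = diff[a], diff[b]
            # Delta(a & b) = da*b ^ db*a ^ da*db, with da, db known constants.
            if da and db:
                conds.append((r, (a, b), 1, dep[a] | dep[b]))  # a ^ b == 1 kills it
            elif da:
                conds.append((r, (b,), 0, dep[b]))             # b == 0 kills it
            elif db:
                conds.append((r, (a,), 0, dep[a]))             # a == 0 kills it
        predicted.append(fb_diff)
        diff = diff[1:] + [fb_diff]
        dep = dep[1:] + [fb_dep]
    return predicted, conds

def is_public(cond):
    """True if the constrained value depends on IV bits only, i.e. the attacker can satisfy it by IV choice."""
    return cond[3] <= IV_VARS

def run(key, iv, rounds, conds=()):
    """Run the toy NLFSR; return (feedback bits, whether every condition in conds held)."""
    state = list(key) + list(iv)
    fbs, ok = [], True
    for r in range(1, rounds + 1):
        for cr, positions, target, _ in conds:
            if cr == r and sum(state[p] for p in positions) % 2 != target:
                ok = False
        state, fb = clock(state)
        fbs.append(fb)
    return fbs, ok

def characteristic_rate(diff_pos, rounds, enforce, trials=2000, seed=1):
    """Fraction of random (key, IV) pairs, restricted to those meeting the enforced condition
    classes ("public" and/or "key"), whose observed feedback differences equal the prediction.
    Rejection sampling stands in for the attacker choosing IVs (public) or having guessed
    the constrained key bits correctly (key)."""
    predicted, conds = derive_characteristic(diff_pos, rounds)
    enforced = [c for c in conds if ("public" if is_public(c) else "key") in enforce]
    rng = random.Random(seed)
    hits = accepted = 0
    while accepted < trials:
        key = [rng.randrange(2) for _ in range(KEY_BITS)]
        iv = [rng.randrange(2) for _ in range(N - KEY_BITS)]
        fb1, ok = run(key, iv, rounds, enforced)
        if not ok:
            continue
        iv2 = iv[:]
        iv2[diff_pos - KEY_BITS] ^= 1          # the partner IV differs in exactly one bit
        fb2, _ = run(key, iv2, rounds)
        hits += [x ^ y for x, y in zip(fb1, fb2)] == predicted
        accepted += 1
    return hits / accepted

if __name__ == "__main__":
    pred, conds = derive_characteristic(15, 13)       # difference in v7, 13 rounds
    print("predicted feedback differences:", pred)
    for c in conds:
        kind = "public" if is_public(c) else "key"
        print(f"  {kind:6} round {c[0]:2}: XOR of state{c[1]} == {c[2]}")
    for enforce in ((), ("public",), ("public", "key")):
        print(f"enforce {enforce or 'nothing'}: rate {characteristic_rate(15, 13, enforce):.3f}")
```

For a difference in v7, the tracker finds a characteristic that is deterministic for 13 rounds (feedback difference 0 in rounds 1 to 12, then 1 in round 13) under four conditions: two public ones at rounds 2 and 6 (v5 = 0 and v3 = 0) and two at rounds 4 and 10 on feedback bits that depend on the key. With all four enforced the observed differences match the prediction for every sampled pair; with none enforced they do not. With only the public conditions enforced the characteristic holds for roughly a quarter of the keys, because once v3 = v5 = 0 the two key conditions reduce to k1 xor k4 = 0 and k3 xor k6 = 0, so an attacker who fixes those IV bits and watches whether the characteristic appears learns two linear relations on the key; this is the toy version of the distinguishing versus key-recovery split the abstract describes. The dependency sets are syntactic, so a condition may be classified as key-dependent even if the key terms cancel, and in a real cipher like Grain the state is far larger and conditions interact, which is where the paper's actual work lies.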